Problem with DNS dynadot.com2

~]# certbot certonly --standalone -d ***** -d www.**** s.info

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for s.info
http-01 challenge for www.
*** .info
Waiting for verification…
Challenge failed for domain******* .info
Challenge failed for domain www.********info
http-01 challenge for *******s.info
http-01 challenge for www.*****s.info
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: paranoids.info
    Type: dns
    Detail: DNS problem: SERVFAIL looking up A for ******.info - the
    domain’s nameservers may be malfunctioning

    Domain: www.***** .info
    Type: dns
    Detail: DNS problem: SERVFAIL looking up A for www.*******s.info -
    the domain’s nameservers may be malfunctioning

Registrar: dynadots.com

Please, help2fix.
10x.

1 Like

Hi @Stoik

there is a check of your domain, about one hour old - https://check-your-website.server-daten.de/?q=paranoids.info

2020-02-10.paranoids.info

The parent zone has a valid DS RR, so your zone must be signed with a valid DNSKEY.

But there is no DNSKEY RR, so no chain of trust.

Rechecked with unboundtest - https://unboundtest.com/m/A/paranoids.info/F75QFYL4 - the same:

unbound[14318:0] info: Could not establish a chain of trust to keys for paranoids.info. DNSKEY IN

And your name servers are terrible: TCP port 53 doesn’t work, which is bad when using DNSSEC.

Solution: Remove your DNSSEC completely or fix it.

Defined DS record, but not working DNSSEC -> it’s impossible to create a Let’s Encrypt certificate.

2 Likes
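Added example (not part of the thread and not any poster's code): a Python sketch of the DS-to-DNSKEY link check a validating resolver performs, showing why a DS record at the parent with no DNSKEY in the zone is classified as bogus, which surfaces as the SERVFAIL seen above. The zone name, the key bytes and the function names are constructed for illustration, and the sketch checks only the DS/DNSKEY link, not the RRSIG signatures.

```python
import hashlib
import struct

def owner_wire(name):
    """Canonical wire form of a name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for obsolete algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_for(zone, rdata):
    """DS tuple the parent should hold: tag, algorithm, type 2 (SHA-256), digest."""
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_status(zone, ds_set, dnskey_set):
    """Classify the parent-to-child link the way a validating resolver would."""
    if not ds_set:
        return "insecure"  # no DS: zone treated as unsigned, lookups still succeed
    if not dnskey_set:
        return "bogus"     # DS but no DNSKEY: the state reported in this thread
    published = {ds_for(zone, k) for k in dnskey_set}
    return "linked" if any(ds in published for ds in ds_set) else "bogus"

# Constructed sample keys (not real key material for any zone).
ZONE = "example.org"
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
OTHER = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
PARENT_DS = [ds_for(ZONE, KSK)]

if __name__ == "__main__":
    for label, ds, keys in [("DS, no DNSKEY", PARENT_DS, []),
                            ("DS, wrong DNSKEY", PARENT_DS, [OTHER]),
                            ("DS matches DNSKEY", PARENT_DS, [KSK]),
                            ("DS removed", [], [])]:
        print(f"{label:18} -> {chain_status(ZONE, ds, keys)}")
```

The "DS removed" row corresponds to removing DNSSEC completely, and the "DS matches DNSKEY" row to fixing it.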

As @JuergenAuer pointed out, this is a definite DNSSEC problem:
https://dnsviz.net/d/paranoids.info/dnssec/
nslookup paranoids.info 8.8.8.8
nslookup paranoids.info 1.1.1.1

1 Like